State Progress on Election Cybersecurity

The Center for American Progress (CAP) recently released a report titled, “Election Security in All 50 States,” which gave a grade of C or lower to 40 states. In fact, no state received a perfect A grade. While Former Homeland Security Secretary Jeh Johnson also said that many states have done little to nothing to prepare since 2016, we don’t believe that’s true. To the contrary, states are well underway in their preparations for the 2018 midterm elections, which are expected to be under increased scrutiny as a result of Russian influence operations designed to sow doubt and fear in the US election process. Director of National Intelligence Daniel Coats stated, “At a minimum, we expect Russia to continue using propaganda, social media, false-flag personas, sympathetic spokespeople, and other means of influence to try to exacerbate social and political fissures in the United States.” It is important to recognize that states in many cases are doing very important work to make their election infrastructure more resilient. Here we highlight six states that, over the past six months, have made substantial progress in improving the security of their election systems and making them more resistant to foreign influence.

Colorado: Risk-limiting Audits

The Colorado Secretary of State adopted Election Rule 25 to mandate how counties would conduct risk-limiting audits (RLAs) beginning with the November 7, 2017 election. An RLA of the results bridges the gap between wholly trusting vote tabulation machine results and completing a full manual recount of all ballots. The audit involves a manual recount of a random sample of the ballots using statistics to determine with a high level of confidence that that voting machine count is accurate. Implementing RLAs required Colorado to have capable voting machines and significant training in the state’s 64 counties. The RLAs were successfully completed just two weeks after the election.

Illinois: Mandatory Cybersecurity Training

For many election officials and staff, cybersecurity may be a new concept, requiring training and recalibration to the new reality that cybersecurity is everyone’s responsibility. In Illinois, annual cybersecurity training from the Department of Innovation and Technology (DoIT) became mandatory for state employees as of January 1, 2018. DoIT is focused on preventing phishing attacks like those used against Clinton campaign chairman John Podesta, 122 state and local election jurisdictions, and voting machine manufacturers. People will always be the weakest link in the cybersecurity chain. Mandatory annual cybersecurity training will provide the state with the opportunity to reinforce fundamental practices and adapt training to meet new threats.

Rhode Island: Security Risk Assessment

The state issued a Request for Proposals (RFP) for a Security Risk Assessment of its Department of State according to the ISO 27001/27002 or NIST Cybersecurity Framework standard. Such assessments are a key part of understanding how current activities may need to be modified or supplemented to address new threats. The Assessment is slated to be completed by May 2018. It should provide the Rhode Island Secretary of State with a roadmap of gaps and deficiencies as well as remediation options to address them. This systematic approach recognizes the ever-evolving nature of the election security threat landscape.

Washington: Multi-State Information Sharing

As one of the 21 states identified as being targets of Russian hacking attempts, Washington partnered with the Department of Homeland Security (DHS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) in September. The goal of the three-month pilot project announced in September was to assess vulnerabilities and identify mitigation plans; share information; rely on DHS for local in-person support; and report incidents or threats. Sharing technical and non-technical data about incidents to other states via the MS-ISAC is critical in keeping election officials and DHS informed of potential attacks and defensive measures.

West Virginia: Air National Guard

The West Virginia Secretary of State announced in September a partnership with the Air National Guard to assess election systems and monitor those systems for malicious activity. Under the partnership, an Air National Guard Cyber Systems Operations specialist will be embedded in the Secretary of State’s office, as well as in the West Virginia Intelligence Fusion Center. The benefit of embedding a specialist in those offices is to link the mission of the National Guard with the needs of the election officials and the situational awareness of law enforcement officials monitoring criminal and terrorist activities in the state.

Election security is the process of anticipating and responding to ever-evolving threats in an environment where voter confidence can be swayed just as much by perception as reality. The CAP report and recent news reports only provide a snapshot of where states fall short in their security efforts. Some states, like Colorado, Illinois, Rhode Island, Washington, and West Virginia, are already on their way to improving their election security grade. We would love to hear about other efforts states are engaged in to better defend against, detect, and recover from attacks.

Election Security Grades by State – Center for American Progress (February 2018)